Firejail
Firejail (GitHub, ArchWiki) is a sandboxing tool. It lets you run a program and limit its access to your computer.
By default, any user can run Firejail. Because the firejail binary is installed setuid root, this may be undesirable, so you can restrict who may run it by creating /etc/firejail/firejail.users. Once that file exists, only the users whose names are listed in it may run Firejail.
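An added audit helper (not part of the Firejail project) that applies the firejail.users rule described above to a given user and reports whether the binary actually carries the setuid bit. It assumes one user name per line with exact matching, and treats blank lines and lines starting with '#' as ignorable; the binary and file paths are parameters so it can be run against test fixtures.

```shell
#!/bin/sh
# Added example: audit who may run a setuid Firejail binary.

# firejail_is_suid BIN -> 0 if BIN exists and has the set-user-ID bit (POSIX test -u)
firejail_is_suid() {
    [ -u "$1" ]
}

# firejail_user_allowed USER [USERS_FILE]
# Mirrors the rule on this page: if firejail.users does not exist, everyone may
# run Firejail; otherwise only names listed on a line of their own may.
# Assumption: exact match per line, blank lines and '#' comments skipped.
firejail_user_allowed() {
    user=$1
    users_file=${2:-/etc/firejail/firejail.users}
    [ -f "$users_file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        [ "$line" = "$user" ] && return 0
    done < "$users_file"
    return 1
}

# firejail_audit USER [BIN] [USERS_FILE]
# Prints one of: not-suid, open, restricted-allowed, restricted-denied.
# "open" means the gate file is absent, so every local user can reach the setuid binary.
firejail_audit() {
    user=$1
    bin=${2:-$(command -v firejail)}
    users_file=${3:-/etc/firejail/firejail.users}
    if [ -n "$bin" ] && ! firejail_is_suid "$bin"; then
        echo not-suid
        return 0
    fi
    if [ ! -f "$users_file" ]; then
        echo open
    elif firejail_user_allowed "$user" "$users_file"; then
        echo restricted-allowed
    else
        echo restricted-denied
    fi
}
```

Run `firejail_audit "$(id -un)"` on a host with Firejail installed to see which case applies to the current account.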
Snippets
Here are some examples of things you can do with Firejail.
Useful Flags
--net=none
No network access: the sandbox gets its own network namespace whose only interface is a loopback interface, so the program cannot reach the internet.
Run a shell with its home set to the current directory
firejail --disable-mnt --private=. --tab $SHELL
This spawns a shell in the current directory for which your home directory appears to be the directory from which you ran the above command. Your actual home directory, as well as the home directories of other users, will be invisible to the shell and to any process spawned from it. The --disable-mnt option additionally hides /mnt, /media, /run/mount and /run/media from the sandbox.
Without the --tab option, tab completion is not available in the shell, which can be cumbersome. When Firejail disables tab completion for the private home directory, the setting is stored in a file called .inputrc in that directory. Tab completion can be restored by editing or removing that .inputrc file.